diff --git a/readme.md b/readme.md index 5dbee56..48b9a32 100644 --- a/readme.md +++ b/readme.md @@ -36,9 +36,21 @@ Includes dry-run validation and systemd timer setup when supported. - Enables systemd timers if `systemctl` is available - Does **not** run any updates itself or reboot your system directly +## Kernel Update Policy + +By default, this script **permits installation of updated kernels** if they match the configured origins (e.g., `-updates`, `-security`). +If you prefer to exclude kernel packages from automatic updates, add the following to `/etc/apt/apt.conf.d/50unattended-upgrades`: + +```conf +Unattended-Upgrade::Package-Blacklist { + "linux-image"; + "linux-headers"; +}; +``` + ## Example Output -``` +```sh [INFO] Unattended-upgrades configurator (Debian/Ubuntu) [INFO] Detected OS: Debian GNU/Linux 12 (bookworm) [INFO] Updating APT cache… 
@@ -62,34 +74,32 @@ sudo ./setup-auto-updates.sh ## Customization -To change the default reboot time: +- **Reboot Time:** + ```bash + sudo REBOOT_TIME="03:30" ./setup-auto-updates.sh + ``` +- **Exclude Third-Party Updates:** + Use `/etc/apt/apt.conf.d/60unattended-thirdparty` to add `site=...` patterns. -```bash -sudo REBOOT_TIME="03:30" ./setup-auto-updates.sh -``` +## Systemd Timers Enabled -To run without dry-run validation (not recommended), you can comment out or modify the `validate_with_dryrun()` function. - -## Notes - -- If APT is locked by another process, the script waits up to 3 minutes before proceeding -- Dry-run validation logs are saved to `/tmp/unattended-upgrades-dryrun.*` -- The script confirms presence of `systemctl` before enabling timers -- Automatically overwrites existing configuration files with no backup: - - `/etc/apt/apt.conf.d/50unattended-upgrades` - - `/etc/apt/apt.conf.d/20auto-upgrades` +- `apt-daily.timer` – Regular APT metadata refresh +- `apt-daily-upgrade.timer` – Executes `unattended-upgrades` daily ## Self-Delete Behavior -At the end of the script, a prompt asks if you'd like to remove the `.sh` file that was just executed. -This helps keep systems tidy after one-time provisioning. +At the end of the script, you’ll be asked: + +> Script successful. Do you wish to delete this script? + +This helps keep your directory tidy after one-time provisioning. 
## Limitations -- Does not configure granular package exclusions or holds -- Will not trigger updates or reboots itself; configuration only -- Does not install `powermgmt-base`, so power-check warnings may appear on laptops -- Not compatible with non-Debian distributions (e.g., Fedora, Arch) +- Does not configure granular package pinning or holds +- Does not auto-install non-origin packages (e.g., third-party repos) unless explicitly configured +- Power-check skipped (optional `powermgmt-base` not installed) +- Not compatible with non-Debian-based distributions (e.g., Fedora, Arch) ## License
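Review bot: In the first hunk (`@@ -36,9 +36,21 @@`), the new "Kernel Update Policy" section tells users to hand-edit `/etc/apt/apt.conf.d/50unattended-upgrades` to add the `Package-Blacklist` block, but the Notes list removed later in this same patch names that file among those the script "Automatically overwrites ... with no backup", so re-running the script would presumably discard the exclusion. Either say so next to the snippet or point users at a separate drop-in file that the script does not write. The section should also state the cost of the exclusion: a host that blacklists `linux-image` stops receiving kernel security fixes automatically and needs a manual patch process. Separately, the Example Output fence is retagged as `sh`, but its content is `[INFO]` log output rather than shell, so `text` would fit better.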
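Review bot: In the second hunk (`@@ -62,34 +74,32 @@`), deleting the whole "Notes" section drops the warning that the script overwrites `/etc/apt/apt.conf.d/50unattended-upgrades` and `/etc/apt/apt.conf.d/20auto-upgrades` with no backup, and nothing in this patch shows that behaviour changing. Keep that bullet, and ideally the dry-run log location and the APT lock wait, unless the script changes in the same commit. Two wording points in the added lines: the bullet titled "Exclude Third-Party Updates" describes adding `site=...` patterns, which reads as allowing origins rather than excluding them and sits oddly beside the new limitation that third-party repos are not installed "unless explicitly configured"; and "Power-check skipped (optional `powermgmt-base` not installed)" is less clear than the line it replaces about what the user will actually see.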